Account takeover in

Aug 3, 2020 · 3 min read

On April 1 this year, I quit my job for personal reasons so that I could spend some time on HackerOne. I stopped finding bugs in 2018 because I felt insecure about my skills and didn't think I had the skill set to dive into full-time bug hunting, so I tried to learn infrastructure pentesting, binary exploitation, source code analysis and some lesser-known web attacks, etc. On April 8th, I started digging into the Mail.ru program on HackerOne and found an account takeover bug on one of their subdomains. The bug is a little bit strange, so I want to share it with other hunters. Some people (who know me) think I spend most of my time bug hunting, but actually I don't; I spend less than 10 hours a week hunting bugs. My goal is to be a security engineer who can model threats, identify security bugs and fix them.

Normal application flow

When a user needs to reset their password, they click "restore access" and enter their associated email.

After the email is entered into the password reset functionality, a one-time password reset code is sent to that email and the user is redirected to

The user then enters the one-time password and, if it is correct, is redirected to

Then they can reset their password, and the request contains

{"password":"password","email":"","code":"onetimepassword"}.

Abusing password reset functionality

Due to a lack of access control in the password reset functionality, I could reset any user's password. I visited and then changed the original request, {"password":"password","email":"","code":"onetimepassword"}, to {"password":"reset", "email": ""}, as shown below.

After removing the code parameter and forwarding the request, it redirected to

I was shocked and tried to log in with the victim's email, but failed xD. I asked myself why. The response said the password was reset successfully.

So I retested the password reset functionality, and this time I clicked the "come in" link (see the screenshot above) and, surprisingly, the victim's password was reset successfully and I could log in to the victim's account.


Honestly, I still don't know how they implemented the password reset functionality in their back-end. In general, a web application vulnerable in this way should reset the password successfully regardless of whether the "come in" link is clicked, but in this scenario they checked something in their back-end (maybe the Referer?). So if you don't click the "come in" link, the password reset fails.
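As an added illustration (not the site's code, which the post says is unknown), here is a hypothetical Python reset handler showing the flaw described above beside a hardened version: the vulnerable handler only verifies the code when the parameter is present, so a request with the key removed succeeds, while the hardened one requires a code that is bound to the email, unexpired, compared in constant time and single-use. The in-memory stores and email address are constructed, and the Referer-dependent behaviour observed above is not modelled.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory state standing in for the site's database (hypothetical).
RESET_CODES = {}  # email -> {"hash": sha256(code), "expires": unix time}
PASSWORDS = {}    # email -> sha256(password); a real app would use a slow KDF


def _hash(value):
    return hashlib.sha256(value.encode()).hexdigest()


def issue_reset_code(email, now=None, ttl=600):
    """Generate a 6-digit one-time code; store only its hash plus an expiry."""
    now = now if now is not None else time.time()
    code = f"{secrets.randbelow(10**6):06d}"
    RESET_CODES[email] = {"hash": _hash(code), "expires": now + ttl}
    return code


def reset_vulnerable(request):
    """Mirrors the flaw in the post: the code is only verified when present,
    so dropping the "code" key from the JSON body skips the check entirely."""
    email, code = request.get("email"), request.get("code")
    if code is not None:
        rec = RESET_CODES.get(email)
        if rec is None or rec["hash"] != _hash(code):
            return {"status": "error", "reason": "invalid code"}
    PASSWORDS[email] = _hash(request["password"])
    return {"status": "ok"}


def reset_hardened(request, now=None):
    """Require a valid, unexpired, single-use code bound to this email."""
    now = now if now is not None else time.time()
    email, code = request.get("email"), request.get("code")
    password = request.get("password")
    if not (email and code and password):
        return {"status": "error", "reason": "email, code and password are required"}
    rec = RESET_CODES.get(email)
    if rec is None or now > rec["expires"]:
        return {"status": "error", "reason": "no active reset code"}
    if not hmac.compare_digest(rec["hash"], _hash(code)):
        return {"status": "error", "reason": "invalid code"}
    del RESET_CODES[email]  # single use: the same code never works twice
    PASSWORDS[email] = _hash(password)
    return {"status": "ok"}
```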

I quickly reported it to the bug bounty program and they rewarded $1500 for this bug.